Originally posted by chirpy
If you don't like it, why don't you just turn the feature off, then?

The feature was developed in an effort to track the source of people spamming. By turning it off, you then lose that information. Not very sensible if you want to stop spammers.

If you read my post again, you might notice that I was not opposing the use of anti-spam measures, only that the latest method used by CPanel is at the expense of security.

Originally posted by chirpy
It's hardly much of a security risk.

Hackers need a username and password to login to a website (obvious I know), and if they know the username, it is, I am well informed, then reasonably easy to brute force the login to the website. Why would you want to assist a hacker, and make it easy for them, by making the username public ??

Strange though it seems, people who say it is not a security risk for the (login) username to be made public, are never willing to make their own usernames public. :D

Originally posted by LifelessHost
Did you ever think that your forum username is public here

Of course it is public.

1. Do you really think I would use the same (forum) username for any logins to websites. (doh !!! ).

2. If someone did happen to 'crack' my CPanel password, it's no concern to me, after all a forum login is not the same as a website login. What can be done in a forum, post, that's all. What can be done on a website, a lot. You cannot therefore compare a forum login to a website login, the two are mutually exclusive.

Originally posted by LifelessHost
or that your email username is public ?

.... wrong, my email is NOT public. :D

Originally posted by LifelessHost
Just because a username is public doesn't mean a thing.

Originally posted by myusername
However I agree even parsing the domain name rather than /home/user would be a better security model.

Yep, agreed.

As the CPanel 'mod' is apparently a perl script, I have been finding out how to 'disguise' the UID in Perl, and use the Blowfish algorithm to encrypt either the username or UID. Only the 'sysadmin' type person would know the key parsed to the Perl/encrypt module, to be able to then decrypt it, if need be.

Peter, although you bring up a good point, sending your concerns to DarkOrb and/or creating updated (better?) code for the situation would be the best thing to do. Discussing these types of situations is a good thing, but will not usually bring any satisfactory results.

Your point is also somewhat old as this is the same method/problem used by Cpanel and the Web based eMail -- Horde, SquirrelMail, NeoMail. By default these scripts use the accountID in the eMail address and, although I can see & understand the reasoning behind it, Clients need to be taught the security issues and how to change these defaults.

Also, I just had a look at the Headers of a recent eMail and do not see what you describe. Is what you mention a feature that must be manually turned on somewhere?

I have to agree with Peter on this issue. Yes, my forum name is public, but so what - all anybody can do using my username in these forums is post a few bogus messages - big deal. As for WHM username being common knowledge - well hopefully admins use a random password so brute force can't crack it.

When it comes to clients though - the situation is VERY DIFFERENT. Although I provide free scripts to generate random passwords MOST of my clients choose a dictionary word as the password. Brute force is easy.

Once a hacker breaks into a client's cpanel they can basically spam away, they can also install nasty scripts to port scan. This can basically lead your DC to thinking your box is hacked and it being disconnected.

Not a happy scenario.

I use many better methods to check for spamming so hopefully cpanel will make this new feature turn off-able - as i sure don't want it.

If you're worried about spammers install mailwatch - this is a much better way to catch spam BEFORE it becomes a problem.
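The post above contrasts random generated passwords with clients picking a dictionary word. As an added example (not code from the thread or from any of its posters), here is a small Python password check and generator of the kind a host could hand to clients: it rejects short passwords, words from a word list even when disguised with leet-speak or a trailing digit, passwords using too few character classes, and passwords whose brute-force search space is too small. The word list, the policy thresholds (10 characters, 3 classes, 50 bits) and the sample passwords are all constructed for the example.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a real dictionary file (e.g. the system word list);
# a production check would load tens of thousands of words instead.
WORDLIST = {"password", "letmein", "welcome", "monkey", "sunshine",
            "dragon", "football", "qwerty", "master", "shadow"}

MIN_LENGTH = 10          # policy values are assumptions for this example
MIN_CLASSES = 3
MIN_BITS = 50

# Common leet-speak substitutions are undone before the dictionary lookup,
# so "P@ssw0rd1" is still recognised as "password".
_UNLEET = str.maketrans("@$0134!", "asoleai")


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits and undo leet-speak substitutions."""
    base = re.sub(r"\d+$", "", password.lower())
    return base.translate(_UNLEET)


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def estimated_bits(password: str) -> float:
    """Brute-force search space in bits, assuming the attacker already knows
    the length and which character classes were used."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in WORDLIST:
        problems.append("based on a dictionary word")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if estimated_bits(password) < MIN_BITS:
        problems.append(f"search space below {MIN_BITS} bits")
    return problems


def generate_password(length: int = 14) -> str:
    """Random password from the printable alphabet that passes check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("monkey", "P@ssw0rd1", "Tq7#vLm2!xRp", generate_password()):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The search-space estimate is deliberately pessimistic for the defender (it credits the attacker with knowing length and classes); the dictionary test matters more in practice, because a brute-force run against the "words plus a digit" space finishes long before the nominal bit count suggests.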

Originally posted by Website Rob
Peter, although you bring up a good point, sending your concerns to DarkOrb and/or creating updated (better?) code for the situation would be the best thing to do. Discussing these type situations is a good thing, but will not usually bring any satisfactory results.

Okay, point taken. Sorry, I don't know 'DarkOrb', but I assume it is a person/process for submitting suggestions or mods to code. I was informed the mod by CPanel works by running a Perl script from Exim, and as I'm not real good with Perl, sought the Perl Monks forum (http://perlmonks.org), and the mods would be very minor to still send out the username in the "X-Source-Dir:" email header, but encrypted. An example, if we had the username of 'billblog':

I have commented out the last line, because the working example is somewhere else at present, and I can't remember if I had to do the unpack. Essentially, it is like encoding emails, you have to make sure there are no special chars which tend to upset email servers. :D

All the above code does is do a HEX pack of length 16, the encryption key in this example is "0123456789ABCDEF", and can be anything of course. Only the sysadmin type person would know this. I have been well informed that the Blowfish encryption is very good, basically without the key, you cannot decrypt it (unless you are a hacker/criminal).

2. This part only needs to be done to see who is spamming (i.e. when it happens)

Again, not too sure about unpacking, but my working example did the decryption back to value 'billblog' perfectly.

So what we may see in an email header is:

X-Source-Dir: /home/3E9jF5W10PlB74cs1a/public_html

(That's not the real encrypted username, but you get the idea.)

Originally posted by Website Rob
Your point is also somewhat old as this is the same method/problem used by Cpanel and the Web based eMail -- Horde, SquirrelMail, NeoMail. By default these scripts use the accountID in the eMail address and, although I can see & understand the reasoning behind it, Clients need to be taught the security issues and how to change these defaults.

Yes, client education is a big issue. I just installed osCommerce for a client and usually I look after everything, so I can account for all the security side of things. However, he needs to maintain the website content, now there will be potentially more places where security _may_ lapse. It will be a mix of education and some security changes I think.

Re Cpanel, yes there are issues there, I'm also amazed that WHM sends an email with the username and password when a new account is created. Sorry, but I can't understand that ?? Web based email, ... I always setup websites with at least one email box/account, so that nothing goes to the default email (the one that will put the accountID in the email address). That seems to work fine, except it can depend on the hosts you use and their setup.

Originally posted by Website Rob
Also, I just had a look at the Headers of a recent eMail and do not see what you describe.

I see them in the CPanel notification emails, although they are currently empty:

X-Source:
X-Source-Args:
X-Source-Dir:

Originally posted by Website Rob
Is what you mention a feature that must be manually turned on somewhere ?

Originally posted by rs-freddo
As for WHM username being common knowledge - well hopefully admins use a random password so brute force can't crack it.

Our host lets us use an SSL connection to the WHM, I guess most would do this, nice to know the connection is secure. But then all that "good" is wasted when WHM sends out an email, in plain text, of usernames and passwords when a new account is created, and to add to the 'torture', puts the WHM username at the bottom of the email (yikes). Possibly there is a config somewhere to stop this, I, as a WHM user don't want to know that info, or if I do, I copy/paste it somewhere. Passwords; ...... yep, something long and full of strange chars helps a lot.

Originally posted by rs-freddo
When it comes to clients though - the situation is VERY DIFFERENT. Although I provide free scripts to generate random passwords MOST of my clients choose a dictionary word as the password. Brute force is easy.

Well, you are being very responsible to help your clients that way. Would it be much work for the script to check a db of dictionary names, or make sure the pwd was completely nonsense, if you know what I mean ?? I remember my days on a VAX computer (Digital - DEC) and we had to change our passwords about every 3 mths, and it couldn't be one we had used before, nor one that could be easily guessed.

Originally posted by rs-freddo
Once a hacker breaks into a client's cpanel they can basically spam away, they can also install nasty scripts to port scan. This can basically lead your DC to thinking your box is hacked and it being disconnected.

Yep, good point, so if a client's CPanel is hacked, and spam gets sent out, who gets the blame, the client for not keeping login details more secure, or the host, for turning on mods that give hackers the username. :D

I don't know much about hacking, but without the username, nothing can be hacked, true ?? Unless someone would be crazy enough (or criminally minded enough) to try and brute force both, wow, think of the maths to work out how many combinations to try, absolutely millions, and then they usually are matched to dictionaries/words, etc.

Originally posted by rs-freddo
I use many better methods to check for spamming so hopefully cpanel will make this new feature turn off-able - as i sure don't want it.

I'm 100% certain it is turn-offable, as when I complained to the hosts, they did take it off, and now emails don't have those headers.

Originally posted by rs-freddo
If you're worried about spammers install mailwatch - this is a much better way to catch spam BEFORE it becomes a problem.

Hmm, haven't heard about that product. I have also asked in the Exim forums, if there is a method to configure the Exim logs to show email message ID (unique# I understand), time/date stamp and username. That way, only the 'sysadmin' people can see it, and not the public.
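The posts above describe replacing the account name in the "X-Source-Dir:" header with a Blowfish-encrypted, hex-packed form that only the sysadmin can reverse. The Perl itself is not on the page, so here is an added Python example (not the thread's code, not cPanel's) of the same idea with one design change: a keyed HMAC pseudonym instead of reversible encryption. The mail server then never holds anything that can be decrypted; the sysadmin recovers the account by recomputing the tag over the server's own account list. The output is pure hex, which sidesteps the "special chars upset mail servers" problem mentioned above. DEMO_KEY reuses the thread's sample key "0123456789ABCDEF" for illustration only; the function names, the 20-hex-character truncation and the account list are assumptions.

```python
import hmac
import hashlib
import re
from typing import Optional

# Sample key copied from the thread's Perl example; a real deployment would
# generate one with secrets.token_bytes(32) and keep it readable by root only.
DEMO_KEY = b"0123456789ABCDEF"

# 80 bits of the HMAC-SHA256 tag: short enough to look like a path component,
# far too large for two accounts on one server to collide by accident.
TOKEN_HEX_CHARS = 20


def pseudonymize_user(username: str, key: bytes) -> str:
    """Keyed pseudonym for a username; hex only, so it is safe in mail headers."""
    tag = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:TOKEN_HEX_CHARS]


def rewrite_source_dir(header_value: str, key: bytes) -> str:
    """Replace the account name in /home/<user>/... with its pseudonym.
    Paths outside /home are returned unchanged."""
    m = re.match(r"^/home/([^/]+)(/.*)?$", header_value)
    if not m:
        return header_value
    return f"/home/{pseudonymize_user(m.group(1), key)}{m.group(2) or ''}"


def token_from_header(header_value: str) -> Optional[str]:
    """Pull the pseudonym back out of a rewritten X-Source-Dir value."""
    m = re.match(r"^/home/([0-9a-f]{%d})(?:/|$)" % TOKEN_HEX_CHARS, header_value)
    return m.group(1) if m else None


def pseudonym_to_user(token: str, key: bytes, known_users) -> Optional[str]:
    """Sysadmin side: recompute the tag for every local account and find the
    match. Needs the HMAC key and the account list, nothing else, so there is
    no decryption routine and no reversible ciphertext anywhere."""
    for user in known_users:
        if hmac.compare_digest(pseudonymize_user(user, key), token):
            return user
    return None


if __name__ == "__main__":
    accounts = ["alice", "billblog", "webshop"]          # constructed list
    header = rewrite_source_dir("/home/billblog/public_html", DEMO_KEY)
    print("X-Source-Dir:", header)
    token = token_from_header(header)
    print("resolves to:", pseudonym_to_user(token, DEMO_KEY, accounts))
```

Because the pseudonym is deterministic per key, the same account always maps to the same token, so the header stays useful for correlating a spam run to one account; rotating the key changes every token, which is also how you would retire tokens that have leaked in bounced mail.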

mailwatch is a little php script put out there by a cpanel user. I have mine setup to notify me whenever a user sends out more than 20 emails in 10 minutes. This is probably a bit low for most Hosting companies but it works for me. I collect email every 10 minutes so basically I know within 20 minutes if bulk email is being sent out. I use phpsuexec so the email logs always show the correct sender (not nobody). It's usually easier for me to just check the queue as there is always some email caught in it - I can read the bulk email and make sure the bulk email is one of my clients valid lists (not a hacker).

to find out more about mailwatch just do a search on this forum for mailwatch and rs-freddo - you'll find the thread where someone put me onto this (about 3 months old).
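The post above describes the mailwatch rule in one sentence: alert when one user submits more than 20 messages in 10 minutes, using mail logs where phpsuexec records the real account rather than "nobody". As an added example, not mailwatch's code and not from any poster, this Python script implements that sliding-window check over log lines written in the style of Exim's mainlog arrival records (the "<=" lines, with the submitting account in the U= field). The log lines, account names and message ids are constructed for the example; the regex assumes Exim's default log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message-arrival lines in the style of Exim's mainlog; with phpsuexec the
# U= field names the account that submitted the message instead of "nobody".
ARRIVAL_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+) .*?\bU=(\S+)")


def parse_arrivals(lines):
    """Yield (timestamp, user, message_id) for each '<=' line; skip the rest
    (deliveries, defers, bounces)."""
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(4), m.group(2)


def find_bulk_senders(lines, limit=20, window=timedelta(minutes=10)):
    """Sliding-window count per user. Returns {user: (count, timestamp,
    message_id)} for the first message that pushed the user over `limit`
    within `window`; users who stay under the limit are not reported."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, msgid in sorted(parse_arrivals(lines)):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop arrivals older than the window
            q.popleft()
        if len(q) > limit and user not in alerts:
            alerts[user] = (len(q), ts, msgid)
    return alerts


def constructed_log():
    """Constructed sample log: 'billblog' bursts 25 messages in about 8
    minutes, 'newsletter' sends 25 spaced one minute apart (never more than
    11 in any 10-minute window), 'alice' sends 5, plus one delivery ('=>')
    line that the parser must ignore."""
    base = datetime(2003, 9, 10, 12, 0, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1A0bCd-{i:06d}-Ef "
                     f"<= billblog@example.com U=billblog P=local S=1200")
    for i in range(25):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1A0bCd-{100 + i:06d}-Ef "
                     f"<= news@example.com U=newsletter P=local S=4000")
    for i in range(5):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 1A0bCd-{200 + i:06d}-Ef "
                     f"<= alice@example.com U=alice P=local S=800")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} 1A0bCd-000999-Ef "
                 f"=> bob@example.org R=lookuphost T=remote_smtp")
    return lines


if __name__ == "__main__":
    for user, (count, ts, msgid) in find_bulk_senders(constructed_log()).items():
        print(f"{ts} {user}: {count} messages within 10 minutes (at {msgid})")
```

Reporting the message id of the crossing message is deliberate: it is the handle you need to pull that message from the Exim queue and decide, as the post says, whether it is a client's legitimate list or a compromised account. The threshold is a policy knob; a host with large legitimate lists would raise `limit` or whitelist known list accounts rather than lower it.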

Originally posted by rs-freddo
mailwatch is a little php script put out there by a CPanel user. I have mine setup to notify me whenever a user sends out more than 20 emails in 10 minutes. This is probably a bit low for most Hosting companies but it works for me.

Okay, thanks, sounds like it is for a sysadmin person/use. I don't have that level of access, only do web hosting, look after websites, so I use WHM/CPanel quite a bit. I'm simply trying to protect the usernames of my clients, some of the sites they run people can send themselves an email (oops, I forgot my password), and so anything like that, email initiated from the website, will have the "X-Source" email hdrs, if configured that way.

If I'm not responsible and don't do all I can to protect my clients' usernames, then the security of their websites is compromised, and the buck stops at me. :D